|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We rely on information technology and data to operate our business of developing product candidates and providing contract research services. Our critical information technology resources include computer networks and hardware, third party hosted services, communications systems and software, and critical data including confidential, personal, proprietary and sensitive data (collectively, “Information Assets”). To operate our business, we also utilize certain third-party service providers to perform a variety of functions, such as professional services, SaaS platforms, managed services, cloud-based infrastructure, encryption and authentication technology, corporate productivity services, and other functions. Accordingly, we have implemented and maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess and manage potential material impact to our business. We implement and maintain various information security and risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business.
We rely on a multidisciplinary team (including members from information technology (“IT”), which reports to our Chief Financial Officer, finance, and legal, as well as third party service providers as described further below) to identify, assess, and manage cybersecurity threats that could impact our business. We assess the likelihood that such threats could result in a material impact to our Information Assets, operations, ability to provide our services, core business functions, personnel, reputation and identified critical business objectives.
Risks from cybersecurity threats are among those that we address in our general risk management program. We identify, assess, and manage such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of the threat environment, and conducting vulnerability assessments. We also engage third parties to conduct annual penetrations tests, as well as to provide threat and security risk assessments and intelligence feeds.
Based on our assessment process and depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate such risks and potential material impacts. These measures we implement for certain of our Information Assets include: policies and procedures designed to address cybersecurity threats, including an incident response plan; incident detection and response; risk assessments; background checks on our personnel; encryption of data; network security controls; data segregation; access controls; physical security; asset management, tracking and disposal; employee security training; penetration testing; and cyber insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, the IT department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
We work with third parties from time to time that assist us to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms (including legal counsel), threat intelligence service providers, cybersecurity software providers, managed cybersecurity service providers, forensic investigators, and penetration testing firms.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, refer to “Item 1A. Risk factors” in this Annual Report, including “If our information technology systems, those of third parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Based on our assessment process and depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate such risks and potential material impacts. These measures we implement for certain of our Information Assets include: policies and procedures designed to address cybersecurity threats, including an incident response plan; incident detection and response; risk assessments; background checks on our personnel; encryption of data; network security controls; data segregation; access controls; physical security; asset management, tracking and disposal; employee security training; penetration testing; and cyber insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, the IT department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors, through its Audit Committee, is responsible for overseeing the Company’s risk management strategy with respect to cybersecurity threats. The Audit Committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our cybersecurity incident response plan and information security incidence response procedures are designed to escalate certain cybersecurity incidents to members of finance and legal, depending on the circumstances, who report to the Chief Financial Officer and the General Counsel. The Chief Financial Officer and the General Counsel work with our cybersecurity incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our cybersecurity incident response plan includes reporting to the Audit Committee for certain cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Financial Officer who is supported by our IT department which includes personnel with experience overseeing and working with various cybersecurity tools. For example, our Senior Director of IT has over 20 years of experience in IT infrastructure and cybersecurity, with extensive expertise in security frameworks, regulatory compliance, and cloud infrastructure management.
Our cybersecurity risk management strategy relies on input from management to help us understand cybersecurity risks, establish priorities, and determine the scope and details of our cybersecurity program and to implement it. Management, including our Chief Financial Officer, is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Management, including our Chief Financial Officer and General Counsel, is also responsible for hiring appropriate personnel, engaging third party vendors, integrating cybersecurity considerations into the Company’s overall risk management strategy, approving cybersecurity policies and procedures, and overseeing employee training. Our cybersecurity incident response process involves members of management who also participate in our disclosure controls and procedures.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Financial Officer
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Financial Officer who is supported by our IT department which includes personnel with experience overseeing and working with various cybersecurity tools. For example, our Senior Director of IT has over 20 years of experience in IT infrastructure and cybersecurity, with extensive expertise in security frameworks, regulatory compliance, and cloud infrastructure management.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Members of management meet periodically with the IT department to discuss cybersecurity risk and to review our cybersecurity program, and report to the Audit Committee. The Audit Committee holds meetings biannually to discuss cybersecurity issues including our cybersecurity threats, and has a dedicated agenda during such meetings that is designed to assist the Audit Committee to exercise its oversight function. These meetings involve regular presentations and reports from management and third party providers, including updates of contemporary cybersecurity threats faced by us and steps we are taking to address them.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef